Cyber Essentials Guide – An in-depth look at passing first time.

This Cyber Essentials guide, along with example answers, has been written by a Cyber Essentials Lead Assessor and is intended to help those companies wishing to certify with Indelible Data Limited. The purpose is to help clients get the submission right at the first attempt and save time. Though this document has not been issued by, or on behalf of, The National Cyber Security Centre (NCSC) or the NCSC’s sole Cyber Essentials Partner, IASME, it has been compiled by a Lead Assessor with extensive knowledge of the scheme. Information in this Cyber Essentials Guide is subject to change without prior notice.


For further details to help you prepare for Cyber Essentials Plus assessment, please familiarise yourself with this guide first, then go to our Cyber Essentials Plus checklist blog.

You may also find helpful information in our Cyber Essentials FAQs.

Overview

Completing the Cyber Essentials question set can, at first, appear daunting. This guide helps take away the uncertainty, guides the applicant through the Cyber Essentials Basic Level submission process and is split into 3 sections:

      1. Describing the journey from initial enquiry through to final submission and subsequent assessor feedback
      2. Helping to scope the assessment
      3. Addressing the requirements of the Cyber Essentials questions and explaining areas where most applicants either misunderstand or simply do not respond to the questions as comprehensively as expected.

The aim is to ensure submissions are not made until the applicant is confident all the questions have been completed correctly – hence increasing the chances of passing the submission first time!

Note: It is tempting to just jump to section 3 and address the questions, however if you have not defined the scope correctly, then the questions cannot be assessed properly.

The question-sets on the portal each have an associated version name. From April 28th 2025 onward, it is called “Willow”.

This guide covers both the Montpellier and Willow versions of the question-set.

Change Log

10/4/2025 Update to Willow version and noted that Android 12 is now officially End of Life and Mac Ventura is no longer supported.

07/11/2024 Confirmation that iOS 15 and Android 11 are no longer supported.

03/01/2024 Removed all references to the Evendine question set and added further clarification to the use of admin accounts, Privilege Access Management tools, and use of sub-sets.

24/4/2023 Updated to reflect the Montpellier question set. Key differences, compared to Evendine, include:

  • ‘Firmware’ clarification (You only need to demonstrate supported firmware on Firewalls and Routers).
  • No need to declare model numbers of End User Devices – Only for firewalls and routers.
  • Clarification on BYODs and third-party devices.
  • There are now 3 questions relating to unsupported software – where such software must be moved to a sub-set.
  • Device unlocking / brute force protection must only meet vendor defaults if they do not meet Cyber Essentials requirements.
  • Sandboxing as a protection against malware has been removed.
  • Multi Factor Authentication questions have changed to clarify the position where a vendor does not provide the option for MFA.
  • Thin clients are now marked for compliance.

3/4/2023 Android 10 is no longer supported. Documentation amended to reflect this.

17/10/2022 Official Position on devices with unsupported firmware. If the device cannot run a supported Operating System, then it is non-compliant. Assessors check the manufacturer’s website for this. If they find that the manufacturer is “no longer supporting”, or has “not tested” the device against the latest updates to a supported Operating System, then an advisory will be given.

17/10/2022 Confirmation that Apple are maintaining dual support for iOS15 and iOS16 – therefore older phones such as iPhone 7 are still accepted (despite some articles in the press stating the contrary)

17/10/2022 MacOS support for Catalina to drop when MacOS13 Ventura is released

17/10/2022 Apple X-protect (the built in AV on MacOS) is now accepted.

25/05/2022 Updated the guidance on contractors/freelancers

23/03/2022 Clarified the segregation requirements for Thin Clients.

09/03/2022 Updates to A7.6 in regards to shared local Administrator accounts.

26/01/2022 Evendine updates applied

04/01/2022 Changes have been added to reflect the Evendine requirements that are relevant to every submission that is created on the portal on or after the 24th January 2022.

09/08/2021 Scoping of mobile devices updated to state, unambiguously, that any mobile device accessing the same organisational data as the in-scope laptops/desktops, for example email, OneDrive are in scope.

15/06/2021 Included A1.1, A1.2, A4.1, A4.6, A5.4 and A6.4.2, which didn’t originally have any remarks. Also added a list of common Operating Systems and devices that fail in section 6.1 and written more details on what is expected of the “process” type questions in section 7.

10/05/2021 Updated “Contractors or staff supplied by outsourcing companies that use their own equipment” to reflect current requirements.

30/4/2021 Added further clarification to scope definition (start with the whole company and exclude networks, rather than starting with a smaller scope and adding networks; and include mobile devices that access corporate data, whether it resides on the in-scope network or not).

13/4/2021 Declaring host-based firewalls in A2.9 in light of the changes made on 9/4/2021.

9/4/2021 Descoping home routers and any boundary router on a network that is not managed by the applicant.

1/2/2021

  • An increasing number of companies (especially the larger organisations) are receiving an “overall fail” due to mobile devices that are unable to run supported operating systems. Currently supported Mobile Operating Systems are, at minimum, Android 13 and/or iOS 16. The logistics involved in remediating such issues can be time consuming, especially as staff are working from home, so we recommend that assembling a mobile device inventory is one of the first things that a company does in order to meet contractual deadlines (then, of course, ensure the devices are patched up to date).
    Whichever type of mobile device you have, if it connects to the internet, it must be capable of running a supported Operating System for it to be compliant with Cyber Essentials.
  • IASME have informed us of the latest advice from Apple on their approach to iOS support: The only version in planned, or regular, support is the latest version. All the iOS 12 updates have been for unsupported devices like the iPhone 5 and iPhone 6. If the device cannot install iOS 16 then the device is unsupported.
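As an added example (not part of the original guide), the script below applies the minimum versions quoted above (Android 13, iOS 16) to a constructed MDM-style CSV export of the mobile inventory, and separates devices that need upgrading or replacing from those whose platform or version still needs checking. The column names, device records and platform labels are assumptions.

```python
"""Flag mobile devices in an inventory export that fall below the minimum
mobile OS versions quoted in this guide (Android 13, iOS 16)."""
import csv
import io
import re

# Minimum supported major versions stated in the guide, keyed by platform.
MIN_MAJOR_VERSION = {"android": 13, "ios": 16}

# Constructed sample export (assumed column layout; all records are made up).
SAMPLE_INVENTORY = """\
device_id,owner,platform,os_version
MOB-001,alice,iOS,16.4.1
MOB-002,bob,Android,13
MOB-003,carol,iOS,15.7.3
MOB-004,dave,Android,12.0.0
MOB-005,erin,iPadOS,16.1
MOB-006,frank,Android,not reported
"""


def major_version(version):
    """Return the leading integer of a dotted version string, or None if the
    field is empty or does not start with a number."""
    match = re.match(r"\s*(\d+)", version or "")
    return int(match.group(1)) if match else None


def check_device(row):
    """Classify one inventory row as compliant, unsupported, unknown or review."""
    platform = row["platform"].strip().lower()
    minimum = MIN_MAJOR_VERSION.get(platform)
    if minimum is None:
        # Platform not covered by the minimums quoted in the guide: check manually.
        return "review"
    major = major_version(row["os_version"])
    if major is None:
        # No usable version reported: treat as non-compliant until verified.
        return "unknown"
    # Below the minimum means the device must be updated or, if it cannot
    # install a supported version, replaced before submission.
    return "compliant" if major >= minimum else "unsupported"


def assess_inventory(csv_text):
    """Return a dict mapping each status to the list of device_ids in it."""
    results = {"compliant": [], "unsupported": [], "unknown": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        results[check_device(row)].append(row["device_id"])
    return results


if __name__ == "__main__":
    for status, devices in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(devices) or '-'}")
```

Replace SAMPLE_INVENTORY with the text of your own MDM export (same column names) to produce the list of devices to remediate.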

Further helpful Cyber Essentials resources can be found at the NCSC’s Website.

Full access to this guide is part of our Cyber Essentials Basic – SILVER and GOLD PACKAGES or can be purchased separately in our shop.

Existing clients and Trusted Partners will have received login instructions by email.


Section 1. Applying for Cyber Essentials Certification

Your journey can begin without even getting in touch with us at all. There is a free-to-download spreadsheet version of the Cyber Essentials questions available on our website to help you on your way: https://www.indelibledata.co.uk/free-cyber-essentials-questionaire-download/

Please feel free to use the spreadsheet to help you however you wish – many customers use it as a planning and scheduling tool to help identify areas of concern and address them accordingly.

All questions must ultimately be entered into an online portal to achieve certification. There is no way of importing the contents of the spreadsheet questionnaire into the portal and we are no longer able to offer a service to input this on your behalf.

Just for clarity, you do not need to download the spreadsheet version of the questionnaire – it is there solely to help.

When applying for Cyber Essentials please visit the shop to receive a login to the assessment portal.

A few details are taken and, once payment is made, a login to the portal is emailed and a password sent separately via SMS.

Simply log in to the portal and respond to the Cyber Essentials questions… but not until you have read the next section of this guide, where we describe the common mistakes made!

If your submission does fail, don’t worry – just take a look at the assessor feedback, implement the required changes and resubmit. If this is done within 10 working days, there is no re-submission charge. We will help, as much as we can, to give you all the information you need to rectify the situation – but if you need further help to implement controls, then we suggest you contact one of our trusted partners who offer Cyber Essentials help and support.

It should be said that most failures are due to non-compliant answers – rather than non-compliant systems – and these can often be rectified within a few days of receipt of the assessor feedback. Trusted partners can also help complete the questionnaire in a compliant way.

We do, on occasion, fail companies outright when we find such things as unsupported computer or mobile device Operating Systems that are likely to take much longer than 10 days to rectify. If something like this occurs with your submission – we urge you to keep us informed and work with us to help us understand the issue.

Indelible Data Limited works with many independent Practitioners and Trusted Partners who help clients achieve certification. Many Trusted Partners offer a turn-key solution to certification. This includes registering your company on the portal, completing the questionnaire on your behalf and working with us to clear-up any grey areas that might arise to ensure a smooth path to certification.


Section 2. Scoping the Cyber Essentials submission

Things to include and scenarios to watch out for

Here are the common issues we find regarding the scope. We urge you to read this section carefully before submission – it will help to reduce the time taken for your company to achieve certification.


Certifying the whole organisation

When certifying the whole organisation, every device that can either access the internet, controls the flow to the internet (router/firewall), or is visible from the internet is in scope. Network switches are not in-scope of assessment.


Certifying part of the organisation by use of a sub-set

Please note that companies are only able to apply for the free cyber liability insurance if “whole organisation” has been chosen.

If you are only certifying part of your organisation in order to fulfil a contract, we recommend that you check with the procuring company that they are happy with the scope that you propose.

You cannot de-scope individual devices by simply blocking their internet access via the boundary firewall.

De-scoping devices:

  • To achieve “whole company”, move devices to a segregated sub-set (separated by VLAN or Firewall) and remove internet access from that sub-set.
  • To achieve “partial company”, you could:
    • move devices to a segregated sub-set, give that sub-set a name (e.g. “workshop network”) and write the company name e.g. “ACME Ltd excluding workshop network”. It is still permissible for the devices on the workshop network to access the in-scope networks.
    • Or, give the in-scope sub-set a name, e.g. “Development network”, and exclude the other networks that cannot access it, e.g. “Development network excluding all other networks”. In this instance, devices on the workshop, corporate and training networks can still access the development network. This may sound counter-intuitive; however, Cyber Essentials scopes require “network boundaries”, and the presence of a VLAN and/or physical firewall is sufficient to achieve this.

If applying for “whole company” you may:

  • connect to a Remote Desktop Server (RDS) running an unsupported operating system, from an “in-scope” device, as long as the RDS is on a sub-set that cannot access the internet.
  • connect to a Database Server running on an unsupported Operating System if the Database Server resides on a sub-set that cannot access the internet.

Important note: a company will not comply with Cyber Essentials if applying for “partial company” where devices on an in-scope sub-set connect to a Remote Desktop / Virtual Environment that resides on an out-of-scope sub-set to access the internet or receive emails etc.

Sub-sets must be segregated by use of either Firewall and/or VLAN.

We advise that you make every effort to apply as many of the Cyber Essentials controls as possible to any sub-set that has been removed from scope.

Cloud Services

We define Cloud Services as any cloud hosted service where you are in charge of adding/amending users or administering access rights. So, for example, you do not need to mention the IASME Portal as a Cloud Service as you are simply consuming that service as a user, rather than administering it.

If you use a Cloud Service from an in-scope device, then you cannot exclude that Cloud Service if it is accessed by devices from the in-scope network.

Different types of Cloud Services:

  • Software as a Service (SaaS). These are generally the Dropbox, office or email applications that run from a web browser or synchronise to the local computer’s filing system. The user has no say in how the servers are patched, but generally has the ability to configure access controls.
  • Platform as a Service (PaaS). Commonly, these are presented as operating systems that are maintained by the vendor; however, the user is in control of the applications. This platform is commonly used by application developers.
  • Infrastructure as a Service (IaaS). The user is in control of virtual servers and a virtual network upon which they can install software. The user is typically required to maintain the environment (including patching the OS and applications).

When a company is only certifying a “sub-set” of the organisation, only mention the cloud services accessed from the devices present on the sub-set.

Companies applying for more than one legal entity to be certified

We often assess companies that, for contractual reasons, require the certificate to cover more than one legal entity name. For example, ACME Wholesale Ltd may also require ACME Logistics Ltd to be Certified. If this is the case, the following options are available:

      • If there is more than one company name but it is effectively exactly the same company, with only the name being different, then the customer just needs to write a letter, signed by a board member, to say everything except the name is the same. Then we issue extra certificates free of charge.
      • If the company is different in any other way (different staff or different IT equipment), then it needs a new assessment because the answers will be different.
      • If the two legal entities do not have a network boundary between them then they have to both be named on the certificate and the scope is both companies.


Scoping Networks

Cyber Essentials scope boundaries are based on networks – not buildings or locations. So it is not compliant to scope “Whole organisation excluding London office”; however, if the London office is on its own network, separated by VLAN or Firewall, then you may state “Whole organisation excluding London office network”, or “Whole organisation excluding London network”.

Start with the whole company and work backwards if required.

  • Exclude networks where required (again, they must be bound by either a firewall or VLAN)
  • You must include all mobile devices used by the whole company (or by the users of the scoped network) that access company information including email / cloud services. To be clear, even if the company has scoped-down to a particular network, any mobile device operated by a user of that network is in scope if it accesses company information. This includes BYOD, or company owned devices, that access emails, OneDrive or MS Teams etc.
  • An ideal scope would be “Whole company” – but some companies have networks that contain Operating Systems that cannot be patched and must be excluded. We therefore encounter many scopes that say “Whole company excluding testing lab network” – which is fine as long as the network has a VLAN or Firewall as its boundary.

You can still apply for “whole organisation” and run a guest network. There is no need to say “Whole organisation excluding guest network” as long as company devices do not attach to the guest network.

Scoping can be easy, or a very complex task. We recommend locating the part of this section that best fits your company’s scenario rather than reading the entire scoping section. For example, if your company meets the “Micro-companies where the head office is the home” description below – then it is likely that you may find enough information to help you in that area – and then move on to section 4.

The larger the organisation, the more components of sections 1-3 will likely apply.


Identify all networks managed by the company

Networks can include:

      • Office networks
      • Virtual / Cloud infrastructure
      • Home offices where the company has provided the routers/firewalls and is therefore in charge of that network

For these networks, all devices that are connected are in scope if they contain company data and any of the following:

      • Have standard user accounts that connect to the internet interactively (such as web browsing or opening emails).
      • Can be seen from the internet (often due to a port forwarding rule on the firewall)
      • Are at the boundary of the network controlling the flow of information to the untrusted network (typically this is a boundary firewall connected to the internet)


Identify those networks not managed by the company and decide whether boundary firewalls need to be in scope

      • Shared office facilities (such as WeWork etc) – You do not need to specify the boundary firewall if the facilities management company will not divulge information; however, you will need to answer the firewall questions and answer them in relation to the host-based firewall of each device.
      • Internet Cafes – no requirement to declare the boundary firewall, but devices must have a host-based firewall enabled that is compliant with Section A4.
      • Home users (using non-company managed network equipment) do not need to declare the home router, but must have a host-based firewall enabled that is compliant with all the questions asked of hardware firewalls in Section A4.


Shared office facilities

For those companies with staff based in shared office facilities that connect to cloud services such as Office 365, G-Suite or Dropbox etc, we would prefer that a firewall is installed in front of your company machines (so that you can then manage a “company” network), or that you ask the facility to provide a Virtual Local Area Network (VLAN) for you, but we appreciate that neither of these can always be achieved without issue. So:

      • For shared offices with a segregated network (where either a VLAN or Firewall has been implemented to separate your company from other companies), all devices on that network are in scope – it should be treated as a company managed network as described above.
      • For devices not on a company managed network (i.e. they just connect straight onto the shared office facility’s network along with other devices from other companies), your company’s devices are permitted to use a host-based firewall to separate each company device from other untrusted machines on the network. In such circumstances, it is only each company device that is in scope, rather than the whole untrusted network. You must ensure that the Host-based/Personal firewall is configured to not allow any unsolicited inbound connections (this is often achieved by setting the network environment to “public” – but check with your firewall vendor for the correct settings).

As the shared office provider’s router/firewall is controlling the flow of information to the internet – it is in scope of the questions. You must therefore have sought assurances that all relevant questions from section A4 have been met:

      • They have changed the default password on the device to meet the requirements.
      • They change the password when they believe it has been compromised.
      • They only allow services that are accessible from the internet that have a documented business case.
      • The firewall configuration settings are not accessible over the internet – unless protected by multi-factor authentication or can only be accessed by trusted IP ranges.

We appreciate you may not always get a response from the Facilities Management company, so you will only need to list the make of the firewall supplied by the shared office facility in A2.9 and ensure the controls have been configured in section A4 if the Facilities Management company are willing participants. We expect the applicant to approach the Facilities Management company to get the information, but if the shared facilities provider is not responding to calls, or unwilling to divulge the information, then the applicant can rely on properly configured host-based firewalls, or a hardware firewall separating the devices from other devices on the network, and not declare the facility’s boundary firewall. If relying on a host-based firewall, all the questions that are asked of hardware firewalls must be answered in relation to that host-based / software firewall.

You may need to write a letter/email to the facilities management company in advance of submitting your questionnaire – so we recommend this is one of the first tasks that is done if you work in a shared office.

Some providers of shared offices are reluctant to divulge this information and state that “we are ISO 27001 certified”. Unfortunately, the fact that they have ISO 27001 is not an acceptable mitigation for providing details of network equipment. We have had several applicants where well-known providers manage their facilities, and they have provided applicants with the required information.


Student or pupil networks within a training or school environment

As students are not employees of the company, their BYOD do not need to be declared on the questionnaire.

For school or college owned devices, if the student network is on a different sub-set to the main school administration network, then it can be excluded if you wish to take student devices, or the cloud systems they access, out of scope. This would mean the scope would read similar to: “Whole organisation excluding student network”.

If the student/training devices are on the same network, then they must be in-scope for the assessment. We recommend separating student networks from corporate/business information for this reason. Remember, if a student device is in scope and accesses Cloud systems such as Office 365, then Multi Factor Authentication must be in place, which can be a challenge for younger children or those with special educational needs.

We also appreciate that some authorities require the whole organisation to be covered. So please check if this is a requirement before excluding student networks.


Working from hotels or internet cafes etc

For those devices that work in other, non-company managed, locations, such as staff working from Hotels or Starbucks etc, we prefer that the company uses a VPN to “tunnel through” the untrusted infrastructure, but again, we understand that this cannot always be achieved, so:

      • On an untrusted network such as Starbucks (where the company is not in charge of the network infrastructure) the devices are permitted to use a host-based-firewall to separate that device from other untrusted machines on the network. In such circumstances, it is only the device that is in scope rather than the whole untrusted network. We strongly advise the use of a VPN in such circumstances, but this is not required to achieve Cyber Essentials Certification.


Staff working from home

The only devices that need to be declared in scope are those devices accessing organisational data or services. The controls for firewalls in section 4 must be applied to host-based/personal firewalls.

Home users cannot be de-scoped if they access company information via Cloud or company hosted services. For example, your scope cannot say “ACME limited excluding home users”.

Ideally a different Wi-Fi such as a “guest network” should be in use by other devices around the house, but this is not essential to receive certification. As other users in the house are not employees of the company, there is no requirement to declare their devices.

Home router / firewalls are not in scope of assessment unless the company has provided it (i.e. it is not the ISP provided device). The ISP provided device is only in scope when it is installed on work premises. If you are a sole trader, you may wish to include the device if it was purchased for the company.

Don’t forget:

      • Answer all relevant router/firewall questions (such as changing default passwords, no internet accessible configuration allowed, no ports open that aren’t required, etc) for the firewall built into the computer. So, changing the computer’s default administrative password is often the equivalent of changing the host-based firewall’s password.
      • Within the home network, users do not need to segregate from the kids’ Xbox or other personal home computers with a physical firewall – but the home user must have a properly configured Host-based Firewall.
      • Even if the router/manufacturer claims to have set a unique password for that device, it must be changed by the user in order to be compliant with Cyber Essentials requirements if the device is provided by the organisation requiring certification.
      • All devices accessing company information are in scope (so must be declared on the questionnaire) – this even includes personal devices accessing web-based company email and mobile phones accessing MS Teams or email etc.


Micro-companies where the head office is the home

Even though the company is, technically, still in charge of the network if it has paid for the ISP / home router service, not every device on that network is deemed in-scope. Ideally a different Wi-Fi, such as a “guest network”, should be configured, but this is not essential for certification.

The only devices that need to be declared in scope are the devices accessing organisational data owned by the company or a member of staff. The controls for firewalls must be applied to the software firewall.

You must respond to all questions – none may be answered as N/A even if you are a sole trader – you must manage your access accounts and document accordingly (see section A7 of the question set below for guidance.)


Companies that use an outsourced IT company for support

It is the applicant’s responsibility to instruct the 3rd party of the Cyber Essentials requirements and make sure they are applied. We cannot accept responses that simply state “This is handled by our IT support provider”. For process questions (such as creating or removing accounts, adding/amending firewall rules etc), the applicant must state who informs the IT company, and who checks the process has been carried out correctly, and confirm that this is formally documented.

Technical requirements (for example, where the applicant must not use Administrative accounts for web access) must also be answered in relation to the IT provider when they are connected to the applicant’s network.

So, for example, if the company sets up an account for the IT company to use for support, the applicant must check with the IT support company how they ensure passwords are not shared among the IT company staff.

Many IT companies have a support solution that requires just one login to the client network – then IT staff use unique logins to access that – this is acceptable within the scheme.

For Azure accounts (and other cloud infrastructure support), it is possible to create a single Admin account and delegate access to individual IT company accounts. This means that the single account is not being shared.

Remember: all accounts created on company resources (hardware or in the cloud) belong to the company and must be managed accordingly in terms of password quality, MFA and all other account related questions.


Contractors, Freelancers and Students not employed by the company who use their own equipment

There is currently no requirement within Cyber Essentials to force a third party company to include their devices in order for your company to be compliant. It is therefore possible to exclude third party devices from scope – even if they access company data via cloud or on-premise services.

Interestingly, this means that, if individual companies within a group are their own legal entities, then the devices belonging to one company can be excluded from scope even if they reside on the same network. So, ACME Rail Ltd and ACME Shipping Ltd can sit on the same network; however, ACME Rail Ltd do not need to declare ACME Shipping in the questionnaire as it is a third party.

All accounts that have been created on your systems (including cloud systems), for the third party to use, are still in-scope and must follow the Cyber Essentials requirements.

The applicant currently has three options:

  1. Treat the third-party devices as BYOD and include them in the scope of assessment
  2. Mandate third-parties to obtain CE as part of their supply chain requirements
  3. Do not include the third-party devices in scope.

Whilst the majority of companies choose option 3, we strongly recommend that any third-party device attaching to the in-scope network is classed as BYOD and therefore has all the controls applied.

The following personally owned devices are not in-scope of Cyber Essentials if they belong to:

  • Students
  • MSP Administrators
  • Third-party contractors
  • Customers

However, the following personally owned devices are in-scope of Cyber Essentials if they access company data or services and belong to:

  • Employees
  • Volunteers
  • Trustees
  • University research assistants


Potential ways of reducing the scope

We urge companies to always include the whole organisation wherever possible but understand that, due to size and/or time constraints, some areas of the business cannot be included. There are certain conditions under which certain devices or networks can be removed from scope described below.

Removing Servers from scope

Servers are in scope if they reside on the in-scope network – whether they connect to the internet or not. Servers may only be excluded if they are placed on a different sub-set. Whole company certification can only be achieved if that sub-set has no internet access. Please see Certifying part of the organisation by use of a sub-set earlier.


Removing End-User Devices from scope

If you wish to exclude devices from scope they must be placed in a sub-set (segregated by VLAN or Firewall) – but if this is performed, then you can only go for “partial company” scope if these devices can still access the internet. In this case you would need to write an “excluding” clause such as “Acme Limited excluding training network”.

If the segregated sub-set has no internet connectivity, then you may apply for “whole company” certification and you will not require an “excluding” statement.

Back to contents

Networks containing endpoints that are non-compliant

If your company has networks that you wish to take out-of-scope of Cyber Essentials, say a staff training network that has legacy software on it (and has access to the internet), then this can be achieved, but you would not be able to certify as “whole company”. The out-of-scope network must be bounded by a firewall or VLAN in order to exclude it. You cannot, for example, declare the Cyber Essentials scope as “Windows 11 devices only” if you have Windows XP devices on the same network.

Back to contents

Guest Wifi within the organisation

Segregated Wifi “guest access” networks can be excluded from scope and still allow the company to choose “whole organisation” as long as no devices containing company data use the guest Wifi. There is no need to state “… excluding guest wifi”.

Back to contents

Multi-site companies wanting to scope-down to certain UK operations only

To help understand how to limit the scope down to certain operations, we’ll take the example of wanting to de-scope the London operations and only certify the Birmingham office.

This can be achieved in Cyber Essentials even if London is the Head Office and the IT team there can remotely manage the devices in Birmingham, as long as there is a firewall or other packet level control (VLAN/ACL) in place and documented business reasons for that access. Effectively the London site would be classed as “internet traffic”, with the Birmingham office on the trusted side of the firewall.

If staff at the London office can access the same data as Birmingham that is stored on Office 365, or a back-end server in a Data Centre, London can still be excluded from scope. You would have to answer “No” to whole organisation and write “Company name excluding London Office” in the scope description.

However, if the company operates a homogeneous network (say MPLS), so all devices can effectively see each other, a firewall would need to be in place to separate the London office from the in-scope devices in the Birmingham office.

If users in the London office connect to the Birmingham office via VPN, the VPN connection must terminate on, or before, the firewall that forms the boundary of the Birmingham office.

Back to contents

Multinational companies wanting to scope-down to UK operations only

This can be achieved in Cyber Essentials. For example, even if the head office is in the US and the IT team there can remotely manage the devices in the UK, we can still scope just the UK Operations as long as they have a firewall or other packet level control (VLAN/ACL) in place and documented business reasons for that access. Effectively the overseas sites would be classed as “internet traffic”, with the UK company on the trusted side of the firewall.

If staff at the Overseas office can access the same data stored on Office 365, or a back-end server in a Data Centre, they can still be excluded from scope. You would have to answer “No” to whole organisation and write “Excluding [country] Office” in the scope description. However, if the company operates a homogeneous network (say MPLS), so all devices can effectively see each other, a firewall would need to be in place to separate the Overseas company from the in-scope devices in the UK office.

If users in the Overseas office connect to the UK office via VPN, the VPN connection would need to terminate on, or before, the firewall that forms the boundary of the UK office.

Back to contents

Web-based Virtual Desktop Services

There are occasions where staff out in the field need to access company resources, and you can’t be sure whether their personally owned devices comply with the requirements of Cyber Essentials.

If a member of staff is accessing company information via a web service (VDI or Cloud, for example), then they are automatically in scope. You cannot de-scope a staff member accessing company information/services, but you can de-scope certain third parties. See the section entitled Contractors or staff supplied by outsourcing companies that use their own equipment for more details.

Companies may require their Virtual Desktop environment itself to be certified as part of a contract (such as an MSP offering Platform as a Service). This is fine, and the company does not need to bring all other external companies accessing that environment into scope. However, if those external companies require certification themselves (even if they just want the scope to be the VDI environment they are using), they would need their own portal account and answer all the questions regarding their company – including those that access the Virtual Desktop services.

Back to contents

Non web-based Virtual Desktop Services

All devices connecting to virtual desktops via the corporate network are in scope and must fulfil the requirements of the scheme. So, for example, even if a user only ever uses the RDS versions of Outlook, Microsoft Word, Chrome and Acrobat Reader, the machine will not be compliant if the versions installed on the device itself have not been patched accordingly – even if they are not used (so please remove unnecessary applications from the device).

Users of thin clients that can only attach to an RDP environment (i.e. we can class the terminals as dumb) are out of scope as they cannot connect to the internet by design. Should the thin client have the built-in ability to connect to the internet (i.e. some have browser capability or built-in applications such as email) then it is in scope. To keep such devices out of scope, they must be moved to a sub-set that is segregated by firewall / VLAN and does not have internet access.

Back to contents

De-scoping a home worker router and firewall

If a home worker is using an ISP provided router, either leased by them or the company, then that device is not in scope of the assessment.

Should the company have purchased a firewall/router for the staff member (i.e. they no longer use the ISP provided device), then that device must be included in the assessment.

A home-worker must declare a firewall/router if it has been given to them by their organisation.

Please note if the company’s offices have an ISP provided router, then this is in scope – it is only removed from scope for home users.

Back to contents

De-scoping mobile devices such as smartphones and tablets

We are often asked if mobiles can be de-scoped if they do not connect to the in-scope network – or they access company data that is unrelated to that network.

The answer is that, if they can access company services over the web (this includes data held on cloud services via 4G or other non-work managed networks) that are accessed by the in-scope laptops and desktops, then they are automatically in-scope. The only reason we envisage mobile devices being removed from scope is if they are used only for making phone calls, text messaging, receiving SMS 2FA codes or only access web services that have nothing to do with company information.

Back to contents

Scope recap

Remember, all devices are in scope if they access company data or services. This includes mobile phones and even non-company devices belonging to employees that connect using 4G, from home or from other untrusted networks.

We cannot ask Third Party organisations to ensure their devices are compliant. The main exception to the rule is if you are a volunteer using your own device to access company information. Volunteers are in-scope, whereas contractors are not.

The only way to exclude devices is to place them in a sub-set (segregated by VLAN or Firewall).

Home user devices are always in scope if they access company data or services (including cloud services).

 

Back to contents

Section 3. Addressing the Cyber Essentials questions

The common areas of failure and clarification relate to the following questions:

      • A2.6 (computers and associated Operating Systems)
      • A2.7 (Mobile Devices and associated Operating Systems)
      • A2.9 (Network equipment)
      • A4.5 (Documented services)
      • A6.1 (Supported operating systems)
      • A6.2 (Supported applications)
      • A7.7 (Use of Admin accounts and the internet)
      • A8.1 (Malware protection methods)
      • Online declaration (this must be signed by a board level, or equivalent, individual).

So we highly recommend that you, at least, read the information below regarding those questions to help prepare those responses.

Other common areas are those questions that require a process to be described or a service to be documented. Please ensure you describe and document as appropriate. Saying that you have not implemented such things will result in a non-conformance. Even if you are a sole trader, please document your processes where required and remember, you may not answer N/A to any question. If you feel that N/A is an applicable answer, please explain why you think it is, so that we are aware that you understood the intent of the question.

Here is a breakdown of the Cyber Essentials questions (it is not exhaustive, as we do not find common issues with every question):

Back to contents


A1.1 What is your organisation’s name (for companies: as registered with Companies House)? 

The company name given here must match exactly the company name written in the Cyber Declaration form (the last question in the question-set). These, in turn, must match the company name as written on Companies House (if registered). There are possible exceptions to this (for example Joint Ventures) where the responses may differ – in such situations please either get in touch with us before submitting the response, or make a note on the portal stating why the names are different.


A1.3 What is your organisation’s registration number (if you have one)? 
Double check this number (if registered in the UK) by entering the number here: https://find-and-update.company-information.service.gov.uk/search/companies

Scope of assessment


A2.1 Does the scope of this assessment cover your whole organisation? Please note: Your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company; if you answer “No” to this question you will not be invited to apply for insurance.

If your company has networks that you wish to take out-of-scope, say a training network that has legacy software on it (that connects to the internet), then this can be achieved, but you would not be able to certify as “whole company”. The out of scope network must have a boundary, such as a firewall or a VLAN. The scope on the certificate for this example would need to include the statement “ – excluding training network”

Segregated Wifi “guest access” networks can be excluded from scope and still allow the company to choose “whole organisation” as long as no devices containing company data use the guest Wifi.

Remember, it is very difficult to de-scope Mobile Devices: if your company has smartphones that access company data or services, then they must be supported. If you wish to de-scope such devices because they are unsupported, please let us know ASAP how you would achieve this so we can check the method is viable. Unsupported mobile operating systems are a major cause of certification failure and often take weeks to rectify.

Back to contents

A2.4. Please list the quantities of laptops, desktops and virtual desktops within the scope of this assessment. You need only include the make and Operating System version for all devices.

The make of the laptops and desktops must be given and Windows Operating Systems must be written in full, e.g. “We have 25 DELL laptops running Windows 10 Enterprise version 22H2”.

For Macintosh computers, list the make and “flavour” of the OS – e.g. “MacBook Air laptop running MacOS Big Sur”.

When listing Linux Operating Systems, the sub-version must be included: e.g. Ubuntu 22.04.

 

Check that devices are selected correctly as described in the Scoping Networks section earlier.

The assessment cannot be marked if the operating system versions are not presented correctly. For Windows Operating Systems we require the “edition” (pro, home, enterprise, etc) and version (21H1, 21H2, etc). To help get this right, this is the degree of detail we require:

      • Windows 10 Pro 22H2
      • Windows Server 2012 R2
      • MacOS Big Sur
      • Linux Ubuntu 18.04

If you wish, you can provide an itemised list, or provide a sentence or two, for example:

“We have approximately 100 Windows 10 Pro machines running a mixture of versions 21H1 and 21H2. All 8 Macs run Big Sur. Our 14 Windows servers run either Server 2012 R2 or Server 2016”.

Please check carefully, before submission, that the Operating Systems are supported.

Our assessors spend a lot of time familiarising themselves with current versions of Operating Systems and will not be able to identify unsupported or unpatched versions if they are not declared. The question will be unscored (therefore fail) if insufficient detail is given.

If an Operating System is currently unsupported at the time of application, please do not submit the responses. Our assessors cannot accept responses that state “…we are currently upgrading Windows XP devices to Windows 10 Pro 22H2 over the next couple of weeks…” Please only submit the response once the upgrade has been completed.

Our assessors will only accept “End-of-Life” Operating Systems if you declare that you have purchased Extended Security Updates (ESUs) and you must state the “Valid Until” date.

You must sign up to receive Extended Security Updates (ESUs) if you are using Windows 10 beyond the 14th October 2025.

You must also state if thin clients (designed to communicate with remote desktop services) are used together with the operating systems of these. Any Laptops/desktops connecting to the network that use Remote Desktop Services are also in scope – whether they use their own desktop to access the internet or not – and must meet the requirements of all the controls.
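As an added example (not part of this guide or of any scheme tooling), here is a small Python checker for the level of operating-system detail described above for A2.4 and A2.6. The accepted Windows edition names, the Linux distribution list, the stripping of the word “version” and the way the 14 October 2025 Windows 10 date is applied are assumptions made for the example.

```python
"""Added example, not from the guide: check that a declared OS entry carries
the detail the assessor needs (A2.4 / A2.6). Rules encoded from the guide:
  Windows client  - edition (Home/Pro/Enterprise/Education) AND version (e.g. 22H2)
  Windows Server  - year, with R2 where applicable
  macOS           - named release ("flavour"), e.g. Big Sur
  Linux           - distribution plus sub-version, e.g. Ubuntu 22.04
  iOS / Android   - major version only
  Windows 10      - on/after 14 October 2025 needs an ESU 'Valid Until' date
The edition names, distro list and the 'version' word normalisation are
assumptions for this example."""
from __future__ import annotations
import re
from datetime import date

WIN10_EOL = date(2025, 10, 14)

WINDOWS_CLIENT = re.compile(
    r"^Windows (?P<major>10|11)"
    r"(?: (?P<edition>Home|Pro|Enterprise|Education)(?: [A-Za-z]+)?)?"
    r"(?: (?P<version>\d{2}H[12]))?\s*$", re.I)
WINDOWS_SERVER = re.compile(r"^Windows Server \d{4}(?: R2)?$", re.I)
MACOS_NAMED = re.compile(r"^mac\s?os\s+\S.*$", re.I)
MACOS_BARE = re.compile(r"^mac\s?os\s*$", re.I)
LINUX = re.compile(
    r"^(?:Linux )?(?P<distro>Ubuntu|Debian|Fedora|Mint|Rocky Linux|AlmaLinux|RHEL)"
    r"(?: (?P<version>\d+(?:\.\d+)*))?$", re.I)
MOBILE = re.compile(r"^(?P<os>iOS|iPadOS|Android)(?: (?P<major>\d+)(?:\.\d+)*)?$", re.I)


def check_declaration(entry: str, as_of: date | str | None = None,
                      esu_declared: bool = False) -> list[str]:
    """Return the problems with one OS entry; an empty list means it is
    detailed enough to be marked. `as_of` is the submission date."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    as_of = as_of or date.today()
    # Assumed normalisation: "Windows 10 Enterprise version 22H2" -> "... 22H2"
    text = re.sub(r"\bversion\s+", "", entry.strip(), flags=re.I)
    issues: list[str] = []
    if m := WINDOWS_CLIENT.match(text):
        if not m.group("edition"):
            issues.append("Windows: edition missing (Home/Pro/Enterprise/Education)")
        if not m.group("version"):
            issues.append("Windows: version missing (e.g. 22H2)")
        if m.group("major") == "10" and as_of >= WIN10_EOL and not esu_declared:
            issues.append("Windows 10 after 14 October 2025: declare ESU and its 'Valid Until' date")
    elif WINDOWS_SERVER.match(text) or MACOS_NAMED.match(text):
        pass  # server year/R2 or a named macOS release is already present
    elif MACOS_BARE.match(text):
        issues.append("macOS: release name ('flavour') missing, e.g. Big Sur")
    elif m := LINUX.match(text):
        version = m.group("version")
        if not version:
            issues.append("Linux: version missing, e.g. Ubuntu 22.04")
        elif "." not in version:
            issues.append("Linux: sub-version required, e.g. 22.04 rather than 22")
    elif m := MOBILE.match(text):
        if not m.group("major"):
            issues.append(f"{m.group('os')}: major version missing, e.g. iOS 17")
    else:
        issues.append("unrecognised: give OS, edition/flavour and version as the guide describes")
    return issues


def check_all(entries: list[str], as_of: date | str | None = None) -> dict[str, list[str]]:
    """Run check_declaration over a whole A2.4/A2.6 list; only entries with
    problems appear in the result."""
    result: dict[str, list[str]] = {}
    for entry in entries:
        problems = check_declaration(entry, as_of)
        if problems:
            result[entry] = problems
    return result


if __name__ == "__main__":
    # Constructed sample declaration mixing adequate and insufficient entries.
    sample = ["Windows 10 Pro 22H2", "Windows 10", "Windows Server 2012 R2",
              "MacOS Big Sur", "Linux Ubuntu 18.04", "Ubuntu 22", "iOS 17", "Android"]
    for entry, problems in check_all(sample, as_of="2025-06-01").items():
        print(f"{entry!r}: {'; '.join(problems)}")
```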

 

Back to contents

A2.4.1. Please list the quantity of thin clients within scope of this assessment. Please include make and operating systems.

This question is now marked for compliance. Thin clients are devices with a cut-down operating system that is optimised to share resources of other servers (such as remote desktop servers).

As with Laptops and Desktops, the Operating Systems still require updating and it is important that we get the right level of detail from you. For example, if the thin client runs a version of Windows, we need the edition and version (such as Windows 10 IoT 22H2). For other Operating Systems the version is sufficient – e.g. iGel OS 12.

Back to contents

A2.6 Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include make and operating system versions for all devices. All devices that are connecting to cloud services must be included.

Check that devices are selected correctly as described in the Scoping Networks section earlier.

Please ensure that all the devices that access company data (including emails) and connect to the internet have been included in the scope and have a supported Operating System.

The assessment cannot be marked if the Mobile device’s operating system versions are not presented correctly. We do not require sub-versions (e.g. iOS 16.3.1). This is the degree of detail we require for the Operating System:

      • Android 13
      • iOS 17

If you wish, you can provide an itemised list of makes and operating system, or provide a sentence or two to help paint a picture, for example:

  • “Our 70 mobile devices are a mixture of Galaxy and LG running Android 13 and iPhones running iOS 17”.

If a Mobile Device cannot run a supported Operating System, please do not submit the responses until this has been rectified. Our assessors cannot accept responses that state something along the lines of “…we are currently upgrading Android 11 devices to Android 13 over the next couple of weeks…” Please only submit the response once the upgrade has been completed.

Currently, only iOS 16, 17 and 18 are supported by Apple. Even though older phones such as the iPhone 5 are receiving some updates from Apple (iOS 15.x), these updates are classed as supporting “legacy devices” and we have no guarantee when they may stop. The assessor therefore cannot accept submissions containing iOS 15.x, even its latest update.

You can check that your devices are capable of running “supported” Operating Systems by visiting the following sites:

iOS:

  • https://support.apple.com/en-gb/HT201222
  • https://support.apple.com/en-gb/guide/iphone/iphe3fa5df43/ios
  • https://support.apple.com/en-gb/guide/ipad/ipad213a25b2/ipados

Android

  • https://source.android.com/security/bulletin
  • https://endoflife.date/android
  • https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices
  • https://security.samsungmobile.com/workScope.smsb
  • https://consumer.huawei.com/en/support/bulletin/
  • https://motorola-global-portal.custhelp.com/app/software-security-page/g_id/6806
  • https://lgsecurity.lge.com/security_updates_mobile.html
  • https://security.oppo.com/en/mend.html
  • https://www.nokia.com/phones/en_int/security-updates

 

Most OS End of Life (EOL) dates for endpoints can be found at https://endoflife.date; if a device is not listed there, consult the vendor sites listed above before submitting your response.

Back to contents


A2.7. Please provide a list of the networks that will be in the scope for this assessment.

You should include details of each network used in your organisation, including its name, location and purpose.

You should also summarise any home-workers and include their internet boundary (host-based or physical firewall) that will be taken into consideration for the assessment.

You will have already answered the number of homeworkers you have in A1.7. They also need to be included in this question, along with whether any use a company provided firewall/router or not.

For example: “Main Network at Head Office for administrative use; Development Network at Malvern Office for testing software; home workers’ networks all using ISP provided router firewalls (based in the UK)”. You do not need to provide IP addresses or other technical information.

If you are not choosing “Whole Organisation”, de-scoped devices must be placed in a sub-set that is separated from the in-scope networks by either VLAN or Firewall.

Back to contents


A2.8. Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed. 

Whilst End User Devices (such as laptops, desktops, tablets and mobile phones) collected in A2.4 and A2.6 only require the make to be submitted, Firewalls and Routers must include Make and Model, e.g. DrayTek Vigor 2862.

Our assessors will look up the model number of each of the firewalls and routers supplied, to check it is supported, so please give adequate information and check with your vendor ahead of submission.

This is generally straightforward for companies to answer for their own equipment – but you must also answer for users in shared offices (such as WeWork) by seeking assurances from the relevant technical contacts.

We appreciate that it is sometimes difficult to get information from Facilities Management firms, so you may opt to rely on the computer’s built-in firewall in this instance and not mention their firewall at all.

We recommend requesting a segregated VLAN from other companies in the facility wherever possible, but this is not essential as long as the personal firewalls are configured correctly.

Personal Firewalls (built-in) require the same controls to be applied (such as changing default passwords, ensuring no unnecessary ports are open etc) if you do not wish to declare the home-router in-scope. Please list the name of the personal firewall (e.g. built-in Windows Defender, McAfee).

If home routers are company supplied, then we require the make and model to be specified.

 

An example of a response could be:

  • “… The head office network is separated from the internet by a Cisco ASA 5505 firewall.”
  • “Two of our Technical staff have been issued with Draytek 2760 firewalls. The rest of the home users use the latest router that has been supplied to them by their ISP to ensure they are supported – All controls have been correctly applied to the home routers in line with section A4.”
  • “All home users are using the built-in Windows Firewall with the exception of the IT Team who are using the ESET personal firewall v8 – All controls have been correctly applied in line with section A4 and users are therefore not relying upon their home-router.”

Back to contents

A2.9. Please list all cloud services that are provided by a third party and used by your organisation. 

You need to include details of all of your cloud services. This includes all types of services – IaaS, PaaS and SaaS. Definitions of the different types of cloud services are provided in the ‘CE Requirements for Infrastructure Document’. Please note, cloud services cannot be excluded from the scope of CE.

You need only declare a cloud system for assessment if it meets the following definition:

  • It is a subscription (paid or free) service where the applicant controls who has access and/or has administrative access over the cloud service. For example MS 365, Google Workspace, QuickBooks, Dropbox etc.

So, for example, as the Cyber Essentials Portal does not allow control over the user accounts or admin functions, this should not be included in the responses.

If you are not applying for “Whole organisation” then only the cloud services accessed by the devices in the sub-set are in scope.

IaaS, PaaS and SaaS are all now in scope for the controls that can be applied (for example, we will not ask you how Microsoft patch their OneDrive service, but we will ask questions on things like access controls). The “applies to” sections of the NCSC Requirements Document now include IaaS, PaaS and SaaS for the following control themes:

  1. Firewalls (responses will most likely apply to IaaS and maybe PaaS – less likely SaaS)
  2. Secure Configuration (such as removing unnecessary services, changing default passwords etc)
  3. User Access Control (All different cloud types)
  4. Malware Protection (probably more IaaS and PaaS – but perhaps SaaS if the option exists)
  5. Security Update Management (most likely to be IaaS – but perhaps PaaS and SaaS as their services evolve)

The current guidance is that any cloud service that the company subscribes to (meeting the definition above) is in scope – so please list them.

  • If no cloud systems are mentioned, we will seek clarification and confirm that you are not using systems such as Office 365, Google Docs, Dropbox, etc.
  • If no cloud systems are used, we ask that you explicitly state something like “we have no cloud systems including MS Office applications or similar”

As stated earlier, you must answer the relevant questions for each control theme that pertain to your cloud services – however, pay particular attention to the following questions, as it is not obvious how these should be answered in relation to Cloud Systems:

  • A7.6 How do you ensure that administrator accounts are used only to carry out administrative tasks (such as installing software or making configuration changes)?
  • A7.14 Have you enabled multi-factor authentication (MFA) on all of your cloud services?
  • A7.15 If no, is this because MFA is not available for some of your cloud services? List the cloud services that do not allow multi-factor authentication.
  • A7.16 Has MFA been applied to all administrators of your cloud services?
  • A7.17 Has MFA been applied to all users of your cloud services?

 

Back to contents


A2.10 Responsible Person. Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment.

This person must be a member of your organisation and cannot be a person employed by your outsourced IT provider. Please provide the name and role of the person who influences and makes decisions about the computers, laptops, servers, tablets, mobile phones and network equipment within your organisation.

Back to contents


Office firewalls and internet gateways

Applicants can now rely on host-based firewalls to take home-routers out of scope.

  • You must still declare how many home workers there are in A1.7.
  • All the questions in A4 (Office firewalls and internet gateways) must be answered for the home user’s host-based firewall (even though the questions specifically say “Hardware firewall”).
  • This includes those questions referring to passwords – i.e. you must not be able to perform firewall configuration changes without first entering a password. In the majority of Windows and Mac set-ups, this will be achieved by having to elevate to an admin user before performing changes. So, in other words, you should be fine as long as this admin password didn’t come with the machine, and is reported if a breach is suspected etc.
  • Pay attention to A4.5 – If the home user’s host-based firewall is not set to a profile designed for “public” places then it will likely be listening for SMB requests and other Microsoft services. You will have to justify these if this is the case.
  • If you are going to declare the user’s home router (because it was supplied by the company), you do not have to answer the questions in relation to host-based firewalls as well.
  • The Host-based firewall must be switched on, even if you are behind a “declared” hardware firewall, to satisfy A4.11
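As an added example (not part of this guide, and not an assessor tool), the following Python script helps prepare the A4.5 justification for a home worker’s machine: it reads the plain-text output of `netstat -an` (Windows) or `netstat -tln` (Linux) and lists the non-loopback listeners, separating out the Microsoft file-sharing and remote-access services that a non-“public” firewall profile typically leaves reachable. The sample output and the port-to-service table are constructed for the example.

```python
"""Added example, not from the guide: list the listening services on a home
worker's machine that an assessor will ask you to justify under A4.5 when the
host-based firewall profile is not set for 'public' networks. It parses the
text output of `netstat -an` (Windows) or `netstat -tln` (Linux). The sample
below is constructed, not captured from a real device, and the port-to-service
table is an assumption made for this example. A listening socket is only
reachable if the firewall profile's inbound rules allow it, so confirm the
profile too."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed mapping of ports to the Microsoft services the guide refers to.
SERVICES_TO_JUSTIFY = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB / file and printer sharing",
    3389: "Remote Desktop (RDP)",
    5357: "WS-Discovery (network discovery)",
}

# Windows: "TCP  0.0.0.0:445  0.0.0.0:0  LISTENING"
# Linux:   "tcp  0  0 0.0.0.0:445  0.0.0.0:*  LISTEN" (recv/send queue columns optional)
LISTEN_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN(?:ING)?\s*$",
    re.I)


@dataclass(frozen=True, order=True)
class Listener:
    port: int
    address: str


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return every listening TCP socket, de-duplicated and sorted by port."""
    found = set()
    for line in netstat_output.splitlines():
        if m := LISTEN_RE.match(line):
            found.add(Listener(int(m.group("port")), m.group("addr")))
    return sorted(found)


def is_loopback(address: str) -> bool:
    return address.startswith(("127.", "[::1]")) or address == "::1"


def exposed_listeners(netstat_output: str) -> list[Listener]:
    """Listeners bound to a non-loopback address, i.e. reachable from the
    local network unless the firewall profile blocks them."""
    return [l for l in parse_listeners(netstat_output) if not is_loopback(l.address)]


def services_needing_justification(netstat_output: str) -> dict[int, str]:
    """Exposed ports that map to a known Microsoft service (A4.5 justification)."""
    return {l.port: SERVICES_TO_JUSTIFY[l.port]
            for l in exposed_listeners(netstat_output) if l.port in SERVICES_TO_JUSTIFY}


def other_exposed_ports(netstat_output: str) -> list[int]:
    """Exposed ports not in the table; each still needs a business reason."""
    return sorted({l.port for l in exposed_listeners(netstat_output)
                   if l.port not in SERVICES_TO_JUSTIFY})


# Constructed sample in Windows `netstat -an` format (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49670        0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:53412     40.99.1.2:443          ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [::1]:49671            [::]:0                 LISTENING
"""

if __name__ == "__main__":
    for port, desc in services_needing_justification(SAMPLE_NETSTAT).items():
        print(f"port {port}: {desc} - justify in A4.5 or set the profile to Public")
    print("other exposed listeners:", other_exposed_ports(SAMPLE_NETSTAT))
```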

Back to contents


A4.1 Do you have firewalls at the boundaries between your organisation’s internal networks and the internet?  

For home users, the host-based (personal) firewall can be thought of as the boundary firewall.

Back to contents

A4.1.1. When your devices (including computers used by homeworkers) are being used away from your workplace (for example, when they are not connected to your internal network), how do you ensure they are protected?

You should also have firewalls in place for home-based workers. If those users are not using a corporate virtual private network (VPN) connected to your office network, they will need to rely on the software firewall included in the operating system of the device in use.

The Willow version of the question simply asks “Do you have software firewalls enabled on all of your computers, laptops and servers?”.

 

Back to contents

A4.1.2. If you answered no to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems. (Willow Only)

The vast majority of Operating Systems have software firewalls available, though some may not, such as some embedded Linux systems or bespoke servers. If you state that your company operates any version of Windows, macOS or a common Linux distribution such as Ubuntu, you must have software firewalls enabled. Just list any OS that you feel does not offer a software firewall.

Back to contents

 


A4.2. When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices?

This is just a Yes/No answer, together with the process by which you ensure the change has been carried out.

Back to contents

A4.2.1. Please describe the process for changing the firewall password?

We need, first of all, to know that the password has been changed from whatever it was shipped with. Even if this is unique to the router/firewall, it still counts as “default” in the eyes of Cyber Essentials and must be changed. If working from home, a member of the company’s IT staff may need to help with this.

We then need to know how you changed it. This can be as simple as mentioning the router configuration page or, for larger organisations, the process of who informs whom, who changes it, and who signs off that it has been changed.

For smaller organisations, you can generally change the default password by logging into the web interface for the device (often located at 192.168.1.1 or 192.168.1.254).

For larger organisations with IT / Security teams, you may wish to put the process by which you ensure the default passwords have been changed. Such a process would describe the department that requests the change, the department that makes the change and the department that checks it has been carried out.

Back to contents

A4.3. Is the new firewall password configured to meet the password-based authentication requirements? Please select the option being used:

  • A. multi-factor authentication, with a minimum password length of 8 characters and no maximum length
  • B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length
  • C. A password with a minimum length of 12 characters and no maximum length
  • D. Passwordless system is being used as an alternative to user name and password, please describe (Willow only)

Please select one of the above. Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the new section about password-based authentication in the ‘Cyber Essentials Requirements for IT Infrastructure’ document.

If you choose option D (Willow) then it must use an authentication method that uses a factor other than user knowledge to establish identity, such as biometric data, physical devices, one-time codes, QR codes, and push notifications. We therefore ask you to describe this so that we can see that it meets the accepted definition.

 


A4.4. Do you change the password when you believe it may have been compromised? How do you achieve this?

This question relates to Firewalls and Routers, as well as firewalls on End User Devices and any services on servers that are advertised through the firewall.

So, as well as describing the process to change any suspected end-user account password, also include the process for changing firewall and associated services credentials as these may be performed by different roles.

Please do not forget to include the process here. Simply stating “… we call our IT support team immediately” or “our security team follow the procedures covered by our incident response policy” is not sufficient.

As well as changing the firewall password if a breach is suspected, we need to know that any compromised login advertised by the firewall is addressed immediately (this could be a mail account on port 25 or SFTP service on port 22 etc). If you don’t have any user accounts that can be accessed through the firewall, just state that is the case.

We are looking for a process that informs us that the incident has been reported and the password has been confirmed as changed.

  • Something as simple as “The user would inform IT who would then raise this as an incident, block the account and let the user know the next steps to change the password” would be sufficient.

 

 Back to contents


A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall?

This response will likely match the response to A5.5, and remember that VPNs count as a “Yes”.

For the Willow version the question is: Do you have a process to manage your firewall? 

Back to contents


A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required?  Describe the process. 

We are looking for a process along the lines of:

  • an individual raising a ticket stating that a port needs to be closed and receiving confirmation back that this has been done.
  • for smaller companies, a description of the method used to address this (such as logging in to the firewall portal or the local firewall settings) and making the change.

The Willow version of the questionnaire asks “Have you reviewed your firewall rules in the last 12 months?” and then asks you to describe your review process (which requires a description of how regular reviews are conducted).

Secure configuration


A5.1 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets, mobile phones and Cloud Services? Describe how you achieve this.

Please don’t forget to describe the process here. For example, your company may provide a list of approved applications for an outsourced IT company to work towards so that machines are only provisioned with the correct software, or you may use specific build images or checklists. You also need to check your cloud services and disable any services that are not required for day-to-day use.

We not only need to know the process for ensuring any “bundled” software is removed before deployment, but also how you ensure unnecessary software is removed going forward, such as via system reviews, company policy etc.

Back to contents


A5.3 Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets, and mobile phones that follow the Password-based authentication requirements of Cyber Essentials?

We recommend having a password of at least 12 characters anyway – even if you have MFA or a deny list configured.

Device unlocking PINs can be a minimum of 6 characters; however, if the unlocking credentials can also be used elsewhere (e.g. an MS365 account) then that password must be either:

  • a minimum of 8 characters with MFA enabled, or with a deny list of common passwords, or
  • a minimum of 12 characters.

Back to contents

A5.4. Do you run external services that provide access to data (that shouldn’t be made public) to users across the internet?

This question relates to those services that you are in charge of, which could reside on your servers in a data centre or on-premise. You may, for example, host an on-premise Microsoft Exchange Server, a VPN or an FTP server.

A5.5 If yes [to A5.4] which option of password-based authentication do you use?

  • A. multi-factor authentication, with a minimum password length of 8 characters and no maximum length.
  • B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length.
  • C. A password with a minimum length of 12 characters and no maximum length.
  • D. Passwordless, please describe (Willow)

For Option B – please ensure, wherever possible, that no maximum length has been set. We do not require you to perform development or incur extra cost if this option is not available.

If you choose option D (Willow) then it must use an authentication method that uses a factor other than user knowledge to establish identity, such as biometric data, physical devices, one-time codes, QR codes, and push notifications. We therefore ask you to describe this so that we can see that it meets the accepted definition.

Back to contents

A5.6. Describe the process in place for changing passwords when you believe they have been compromised

Please let us know who would be likely to detect this, who they would report it to, how this would be done (e.g. informing the IT department by raising a ticket) and how you are made aware that the change has been made (e.g. an update to the ticket, or receipt of an email etc).

Back to contents

A5.7. When not using multi-factor authentication which option are you using to protect your external service from brute force attacks?

The external service that you provide must be set to slow down or stop attempts to log in if the wrong username and password have been tried a number of times. This reduces the opportunity for cyber criminals to keep trying different passwords (brute-forcing) in the hope of gaining access.

We require either:

  • Multi-factor authentication
  • lock-out of the account after 10 invalid attempts
  • Throttling of the attempts (where the attacker may not make more than 10 invalid guesses in 5 minutes)


Back to contents


A5.9. When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?

A locking mechanism such as biometrics, a password or a PIN must be enabled to prevent unauthorised access to devices that access organisational data or services. The device must be locked when not in use to be compliant with this question.

Back to contents

A5.10. Which method do you use to unlock the devices?

You will probably be using one of the following required controls:

  • Biometrics (with an underlying PIN in case the biometrics fail)
  • Password or PIN

If credentials are solely to unlock a device, a minimum password or PIN length of at least 6 characters must be used. Biometric authentication is permitted – however the underlying passcode (should the device not recognise you) must be a minimum of 6 characters. Pattern recognition methods are not compliant with the scheme.

If the credentials used to unlock the device can also be used elsewhere (such as your MS 365 credentials) – then you must have one of the following configured on the account:

  • MFA supported by an 8 character password
  • Minimum password length of 8 characters supported by a deny list
  • Passwords with a minimum length of 12 characters.

If you are using your Microsoft 365 credentials to unlock the device, then you will automatically be using the “deny list” control and would need to have a code of at least 8 characters.

When you respond, please state the number of characters of passwords/pin, whether MFA or deny lists are used etc.

Please note that, should a thief manage to guess your pass-code, then they may have full access to any application on your phone. We highly recommend applying pass-codes to individual apps where possible; currently, however, this is not a requirement of the Scheme.

Back to contents

Patches and updates


A6.1 Are all operating systems and firmware on your devices supported by a supplier that produces regular security updates?

Please check that your Operating Systems are supported by looking at the following URLs:

We only accept the last three Mac Operating Systems: (As of Jan 2025)

  • Sequoia
  • Sonoma
  • Ventura

Remember that Operating Systems for Firewalls/Routers are also in scope for Cyber Essentials and you must let us know that the version of the Firmware is supported by the manufacturer or ISP. This is often updated via the ISP (especially for home user router/firewalls), but Firewalls that have been purchased separately are likely to require some form of manual operation to update the OS/Firmware and we need to know that this has been done where required.

Check that your Firewall/Routers are currently being supported for security updates by visiting the Vendor Website. It is useful to put any supporting URLs in your submission that demonstrate the firewall is supported.

The following is a common list of devices and systems that will fail Cyber Essentials. Please do not submit your response if it includes any of these:

  • Any Windows 10 device running 21H2 or below.
  • Windows 7 or 8 unless an Extended Security Update agreement has been purchased with a valid until date.
  • The use of Windows Server 2008 unless this is in Azure IaaS, as this provides the Extended Security Updates.
  • Any macOS device running anything other than the latest three versions.
  • Any iOS or iPadOS device running any version below iOS/iPadOS 16.
  • Android 10 or below.
  • Huawei P20.
  • iPhone 5s.
  • iPhone 6.
  • iPhone 4s.
  • Draytek Vigor 2830.
  • Cisco ASA 5520.

When receiving a Cyber Essentials submission, the assessor performs the following check:

  • Can the stated devices run a supported Operating system – if not, a Fail will be awarded.

Back to contents



A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

This question only requires a Yes / No response here. The details of the software to list is then covered by questions A6.2.1 to A6.2.4. Please be sure to put the software versions where required (e.g. Chrome v96). If the assessor is unable to verify the software you have stated is supported, the application will be returned with a request for more information.

We are not expecting a comprehensive list containing the versions of every application on every machine. Instead, let us know the key applications in place:

  • A6.2.1 All the different Browsers used along with the versions (e.g. Chrome version 96)
  • A6.2.2 The malware protection software used (e.g. Sophos Endpoint Protection V10)
  • A6.2.3 The email application and version (e.g. Outlook 2019) and the Email Server Application used (e.g. Exchange 2019)
  • A6.2.4 All office applications used (e.g. Microsoft 365; Libre office, Google workspace, Office 2019)

The Willow version of the question-set also asks if you have addressed “vulnerability fixes” that address known vulnerabilities. These are things like adding registry entries or issuing system commands instead of (or as well as) installing the patch itself. If the vendor instructs such commands to be performed, they must be done in order to be compliant with the Willow question-set.

Back to contents


A6.4 Are all high-risk or critical security updates for Operating Systems and firmware installed within 14 days of release? 

We only require a Yes / No response here. Remember that this question applies to:

  • Servers,
  • Computers,
  • Laptops,
  • Tablets,
  • Mobile Phones,
  • Routers and Firewalls

So, for example, your Routers and Firewall Operating Systems may not be set to auto update but are updated by other means. If this is the case, answer “Yes” to A6.4, then “No” to A6.4.1. Then, in the response to A6.4.2, describe how you update those devices (in this example, the firewalls). Please remember to give sufficient details on the tools used and the process followed.

A typical response to A6.4.2 would be “Auto updates for Operating Systems are set on our mobile devices, however on our laptops, servers and firewalls we use the following methods…..”

Back to contents


A6.4.2 Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all operating systems and firmware are applied within 14 days of release? 

Please note: this question relates to Operating Systems/Firmware, not applications. Applications are addressed in A6.5 – A6.5.2.

This response needs to include a process. As a minimum, the description should include the frequency of patching and the department/individuals responsible for carrying it out. You may also include any third-party tools you use to “push out” updates.

The important thing is to inform us of how the patching of every device-type is performed. So, if you only state that “Our Laptops and Desktops are updated by use of a third-party tool overseen by our Managed Service Provider who inform us of important updates required as they arise” – then, if your submission included on-premise servers and firewall/routers, we would then ask you to clarify how the servers and routers are updated.


A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release?

We only require a Yes / No response here. Remember that this question also applies to mobile devices.

So, for example, your Windows Laptops may not be set to auto update but are updated by other means. If this is the case, answer “Yes” to A6.5, then “No” to A6.5.1. Then in the response to A6.5.2 describe how you update those devices (in this example, the laptops). Please remember to give sufficient details on the tools used and the process followed.

A typical response to A6.5.2 would be “Auto updates for applications are set on our mobile devices, however on our laptops and servers we use the following methods to ensure the applications are updated…..”

Please note that it is common for submissions to copy/paste the responses from A6.4, A6.4.1 and A6.4.2 into these questions. Those questions relate to Operating Systems, whereas A6.5, A6.5.1 and A6.5.2 relate to applications, so the copied responses often don’t make sense.

Back to contents


A6.6 Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates for security problems?

Note that this question relates to software that is no longer supported, rather than software that is no longer used, which should have been addressed in question A5.1.

When responding to this, please ensure mobile apps that access company data are also mentioned.

Assessors look at the versions of the software mentioned in A6.2.1-4 and verify these are supported.

Back to contents


A6.7 Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment? Please explain how you achieve this.

All unsupported applications must have been moved to a segregated sub-set. Be warned, however, unsupported software found as part of a Cyber Essentials Plus audit in 2023 onwards will result in a Fail.

Software that is not removed from devices when it becomes unsupported will need to be placed onto its own sub-set and, if you wish to achieve “whole company” certification, prevented from inbound and outbound internet access.

If you are only certifying part of the company, the sub-set with unsupported applications would not need to have internet access removed.

Remember, a sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.

Back to contents

Access control


A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

Please describe the process: who approves the account, who creates it and who checks it is right, for example.

Even if you are a sole trader, creating user accounts, including temporary accounts should they be required, must be a managed process and accounts must only be created if absolutely necessary. You may therefore wish to describe how you use the Windows inbuilt add/remove user tool, for example, to create the accounts.

As well as stating who approves the creation, one of the following must also be present:

  • Who requests it?
  • Who actions it?

Back to contents


A7.2 Are all user and administrative accounts accessed by entering unique credentials?

You must ensure that no devices can be accessed without entering a username and password. You will not pass this question if users can share accounts – this includes (internet connected) devices found in warehouses and retail etc.

It is not sufficient to block internet access from such devices within the computer’s own settings – if you must have shared accounts (probably for legacy reasons) – then the device must be blocked from accessing the internet using networking infrastructure controls or boundary firewall settings.

Examples that would attract a Major Non Conformance for this question include:

  • IT departments that keep a central password list of users and Third Parties that hold passwords of your users that access in-scope computer systems.
  • Several machines in a warehouse, for example, all logged in with the same credentials, would fail this.
  • IT departments all knowing (or having access to) user credentials of staff
  • IT staff sharing system passwords with other IT staff
  • Users sharing email account credentials
  • Several devices with common local administrative account.

Back to contents


A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

Please describe the process – who highlights that the account should be removed / disabled, who implements this, and who checks it has been removed/disabled?

Even a sole trader must demonstrate that they are aware that they must remove an account (including a temporary one) when it is no longer required and state they have checked to see that only required accounts are active (and the method of checking conducted).

For companies using IT support providers to help them, this response typically attracts responses saying “We contact our IT provider”. This answer is not sufficient as we need to know which person/role requests the account to be removed, the person/role that removes it (giving a brief description of the process – whether it is removed centrally or locally to each device etc) and the person/role that checks it has been removed.

We are looking for 2 of the following 3 things to be present in your answer:

  • Who requests that the account is disabled?
  • Who disables the account?
  • Where is this recorded?

Back to contents


A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

Smaller companies often set up a standard user for day-to-day activities using the inbuilt add/remove user facility. Sole traders generally require full access to the company information, but as the company grows, user accounts must be managed and provide only those rights required by that individual. Your response here should give a taste of the different access levels employed in the company.

We require at least 2 of the following to be mentioned in the response:

  • Who decides upon the privileges required?
  • When are the privileges decided upon?
  • Who implements the privileges?

Please also give an overview of how least privileges are implemented (e.g. do you have users that are members of groups that are given particular permissions).

If your company has users that can administer their own device (known as local administrators) and use this account for their day-to-day activity, such as sending emails, browsing the web etc, then they can be said to have more privileges than required for those tasks and would not be compliant with this question. Neither would they be compliant with A7.6 and A7.7 which would result in a fail overall.

Back to contents


A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

Many Cyber Essentials applicants only half answer this question. You need to describe the process and confirm that this is documented (i.e. a written procedure for assigning Administrative rights). A formal process is required no matter how large or small the organisation is, even if the account creation is outsourced to a third party IT Support provider. A high-level description of this process must be given in terms of who authorises admin access, under what conditions the access is granted and who implements the change.

As well as stating who approves it, one of the following must also be present in the response:

  • Who requests the access?
  • Who implements the access?
  • Where is this recorded?

Back to contents



A7.6 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

There must be a separate account to perform administrative duties than the usual day-to-day user account for creating/amending office documents etc.

This question often causes confusion – especially with the way MacOS/Linux implements the notion of administrators.

Use this helpful rule of thumb for Linux:

      1. If you need to run a process as admin, and need to enter a password, go to step 2 – otherwise you will fail this question.
      2. Only if this password is different from the usual day-to-day password, will a pass be awarded.

This means that a Linux standard user contained in the sudoers file would not be awarded a pass.

For Windows:

      • A Windows local admin account being used for day-to-day activity and just using basic UAC (with no password, just clicking OK when prompted) would fail
      • A Windows local standard user, that must enter an administrative user and a password at the UAC prompt, would pass

For those companies that may not hold administrative accounts for their system (for example, only an outsourced IT provider may have such rights) there still needs to be a responsible person within the organisation that has ultimate responsibility for the use of Admin accounts. So we would expect the response to state that senior management have formally documented and informed the IT Company that they must not access the internet / read emails whilst logged in as Administrator on your network.

A standalone local administrator account (not domain joined) can be created on each computer and can be shared between members of the IT support team but the passwords must be different for every device.

Domain admin accounts (those that can be used to log into many different devices) may not be shared between IT support teams. Each member of the team must have their own account to perform administrative duties. This may cause issues with MSPs who have many team members that may log into any client’s computer that they support – but it is the agreed position with NCSC at the moment.

Use of Privileged Access Management tools.

Only tools that create/use a separate account to elevate to are compliant. Those tools that allow the same account to be used, with higher privileges, for a certain amount of time are not compliant – unless the privileges granted do not allow the following:

  • Execute software that can make significant and security related changes to the operating system.
  • Make changes to the operating system for some or all users
  • Create accounts and allocate privileges

If you can configure your privileges to only allow a user to run a piece of business software, or install a printer (and not have any further privileges) then you should state this.

For more information on use of Administrative accounts, please see our blog: https://www.indelibledata.co.uk/cyber-essentials/when-are-user-accounts-actually-admin-accounts/


Answering in relation to Cloud Services

When it comes to account separation, only cloud systems where the user can grant access to other cloud systems are in scope. So, for example, in Office 365 admins can grant access to the OneDrive service, SharePoint, etc. (all different cloud services/products in their own right). A standard, day-to-day user must not be able to do this; standard users must elevate to a different, administrative account to perform such functions.

Also, if a cloud system also acts as an authentication service to other services (you’ll typically be greeted with a “Login with your Google/Apple Business/Atlassian/Microsoft account” prompt), then Administrative accounts must be separate from standard users. So, if you are an Administrator of your Google, Microsoft, Atlassian or Apple Business services, then these Admin accounts must be different from the day-to-day business account.

An HR administrator of an HR Cloud system, whilst still requiring MFA, would not typically require different accounts (one to administer the users/system and another account to enter their own holiday requests) as they are not generally granting users access to other cloud services from within that product.

Back to contents

A7.7 How does the organisation prevent administrator accounts from being used to carry out every day tasks like browsing the web or accessing email?

The response to this question is often incomplete, stating that, perhaps two accounts are used: one for day-to-day duties and one for administering the system. This is great practice, however, answering the question this way does not address the core requirement – i.e. not using the internet whilst being an administrator.

Cyber Essentials requires that any users that have Administrative rights (including outsourced IT providers) do not access the internet or emails whilst using such accounts on devices that access corporate information.

You are required to describe how you ensure this does not occur (it could be through training, policy or technical controls).

An example of a compliant answer could be “Nobody accesses the internet, or emails, whilst logged in with an administrative account. Those that do have access to an administrative account (say, to install software or updates) only browse the internet with a standard user account, and only elevate to the administrative account when required to actually install/update the software. Such users know to do this via the Access control policy and subsequent training.”

Our typical response to applicants is “… how does the organisation ensure that those who have admin accounts do not use them to access emails or browse the web?”

You may not need a technical solution to achieve this; it could be based on good policy and procedure as well as regular training for staff to help ensure admins comply.

If your company uses an outsourced IT provider to manage your systems, then you must let us know how you are assured that they do not access the internet using system administrator credentials whilst on your network. So please check they also have a policy of not browsing the web/opening emails whilst performing administrative duties.

The safest way to pass this question, for small businesses especially, is to not browse the internet as Admin. You don’t need a technical control in place to prevent this – policy / training instructing admins not to interact with the internet with such privileges is sufficient.


Back to contents


A7.10. Describe how you protect accounts from brute-force password guessing in your organisation.

Valid options are:

  • using multi-factor authentication
  • ‘throttling’ the rate of attempts. This means the time the user must wait between attempts increases with each unsuccessful attempt. This should permit no more than 10 guesses in 5 minutes.
  • locking accounts after no more than 10 unsuccessful attempts
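The lockout and throttling options above (and the same options under A5.7) are easy to state but worth seeing as working logic. The following is an added example, not code from the guide or from any vendor: a small per-account guard that either locks an account after 10 failed attempts or throttles it to no more than 10 failed guesses in any rolling 5-minute window. The class, function and account names are constructed for illustration.

```python
"""
Brute-force protection as Cyber Essentials A5.7 / A7.10 describe it.
Added example (not from the guide): "lockout" mode blocks an account after
10 failed attempts; "throttle" mode permits at most 10 failed guesses in any
rolling 5-minute window. Names are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILURES = 10        # scheme threshold: no more than 10 unsuccessful attempts
WINDOW_SECONDS = 5 * 60  # scheme throttling window: 10 guesses in 5 minutes


@dataclass
class BruteForceGuard:
    """Decides, per account, whether a login attempt may proceed right now."""
    mode: str = "lockout"  # "lockout" or "throttle"
    # account -> timestamps of recent failed attempts (oldest first)
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked: set = field(default_factory=set)

    def allow_attempt(self, account: str, now: float) -> bool:
        if self.mode == "lockout":
            return account not in self.locked
        # throttle: forget failures older than the window, then count the rest
        recent = self.failures[account]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        return len(recent) < MAX_FAILURES

    def record_result(self, account: str, success: bool, now: float) -> None:
        recent = self.failures[account]
        if success:
            recent.clear()  # a genuine login resets the failure count
            return
        recent.append(now)
        if self.mode == "lockout" and len(recent) >= MAX_FAILURES:
            self.locked.add(account)  # stays locked until an admin unlocks it

    def unlock(self, account: str) -> None:
        """Administrative reset after the incident has been looked at."""
        self.locked.discard(account)
        self.failures[account].clear()


def simulate_failed_guesses(mode: str, timestamps: list, account: str = "alice") -> list:
    """Feed one wrong password per timestamp; return which attempts were permitted.

    Attempts that the guard refuses are not recorded, because the login
    form never evaluated them. Timestamps are seconds (constructed input).
    """
    guard = BruteForceGuard(mode=mode)
    permitted = []
    for t in timestamps:
        allowed = guard.allow_attempt(account, t)
        permitted.append(allowed)
        if allowed:
            guard.record_result(account, success=False, now=t)
    return permitted


if __name__ == "__main__":
    # 15 wrong guesses one second apart: lockout stops the 11th and later ones
    print(simulate_failed_guesses("lockout", list(range(15))))
    # throttle: 11 guesses in 11 seconds, then one more 5 minutes after the first
    print(simulate_failed_guesses("throttle", list(range(11)) + [300]))
```

In throttle mode the 11th guess inside the window is refused but a guess 5 minutes after the first is permitted again, which is the "no more than 10 in 5 minutes" behaviour the scheme asks for; in lockout mode the account stays blocked until `unlock` is called.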

Back to contents


A7.11. Which technical controls are used to manage the quality of your passwords within your organisation? 

Note that this does not ask for policy documents – we require technical controls to be applied.

Typical options are

  • using multi-factor authentication
  • a minimum password length of at least 12 characters, with no maximum length restrictions
  • a minimum password length of at least 8 characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list.

If you are using a Microsoft 365, Apple, or Google account, this will typically have a common password deny list built in, but we highly recommend that Multi Factor Authentication is also used.


A7.12. Please explain how you encourage people to use unique and strong passwords.

Typical methods include educating people on how to avoid re-using or selecting easy-to-guess passwords, such as a pet’s name. This could also include teaching people how to use the password generator feature of password managers.


A7.14. Do all of your cloud services have Multi-factor Authentication (MFA) available as part of the service?

The only 4 valid methods of achieving Multi Factor Authentication are:

  • Using a managed/enterprise device as an extra factor
  • Using an app on a trusted device as an extra factor (trusted IP range can also be used here)
  • Using a physically separate extra factor
  • Using a known or trusted account as an extra factor

These are described in detail on the following NCSC page https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services

Authentication methods that simply ask for another piece of information you know, such as place of birth or favourite song, do not comply with the requirements of the Cyber Essentials Scheme (even though this is mentioned as a fifth option on the NCSC page above).

Back to contents


A7.15 If you have answered ‘No’ to question A7.14, please provide a list of your cloud services that do not provide any option for MFA.

Most Cloud services now allow multi factor authentication. If you are unable to enable MFA, please list them. Give the name and function of each service – e.g. “PersNL HR System”.



A7.16 Has MFA been applied to all administrators of your cloud services?

All administrative accounts of cloud services must have Multi Factor Authentication enabled. An administrative user should be thought of as an individual who has the rights to add/remove users and grant/revoke permissions within the cloud service.

Some Administrators have expressed concern at the requirement to have MFA on “Break Glass Accounts” (those accounts that are seen as the last resort to access services where a mis-configuration has locked all users, including administrators, out of the service).

The following Microsoft article details the importance of having such emergency accounts: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access and states companies should exclude at least one account from phone-based multi-factor authentication – however, Cyber Essentials still requires another of the 4 valid methods of applying MFA described in A7.14 for emergency access accounts.

It is common for some cloud providers to allow MFA for administrators, but not standard users. If this is the case, and it has been configured, you can respond “YES” to this question.

Back to contents

A7.17 (Montpellier). Has MFA been applied to all users of your cloud services?

This question relates to standard users. If your Cloud Provider does not allow MFA, please respond “No” to this question.


Malware protection


A8.1 Are all of your Desktop Computers, laptops, tablets and mobile phones protected from malware by either:
A – Having anti-malware software installed, and/or B – Limiting installation of applications by application allow listing (for example, using an App Store and a list of approved applications, or using a Mobile Device Management (MDM) solution), or C – None of the above, please describe?

Though not always the case, it is likely that desktops / laptops and servers will be covered by the installation of Anti Malware (option A), and mobile devices will be covered by using the Mobile’s relevant App store. Because of the iPhone’s / Android’s application sandboxing architecture, option A does not always fully cover the requirements, as the AV product would not be able to check other apps (because they are sandboxed).

As you can see it gets complex – so best to choose option B for mobile devices unless you work in a very specific way.

Android does allow AV products to scan the phone, so option A is viable for these devices if implemented.

The Majority of applicants state Option B to cover their mobile devices, which is fine.

The Apple macOS built-in antivirus (called XProtect) is now sufficient to pass Cyber Essentials (i.e. applicants are no longer required to purchase a full-blown third party Anti-Virus application to be compliant). This is because Apple have clarified that XProtect checks an app on first launch and whenever it has changed in the file system, and that Apple releases signature updates regularly. (More information can be found here: https://support.apple.com/en-gb/guide/security/sec469d47bd8/web).

So-called “Next Generation” Anti-virus products (that do not rely on virus definition signatures) are compliant with the scheme as long as they are installed in-line with vendor requirements.

Here are some common responses by our assessors:

      • From earlier responses, the company has smartphones (iPhones, Android). It is likely that these are covered by Option B or C, which was not ticked. Please could you tick the Option B and/or C boxes and complete the extra fields that appear. These extra fields ask you to state whether users can only install apps approved by the store and whether you have documented the apps that are permitted to access company data (such as Outlook, OneDrive, Excel etc).
      • The response to A2.76 states that you have no mobile devices in scope – yet you have chosen Option B here. Please can you clarify?

Back to contents


A8.2-5

As stated, you need to have Option B to cover the iPhones (and Androids that don’t have AV installed). As long as the devices are not jailbroken, rooted or in developer mode (and no other certificates have been installed manually to allow non App Store / Play Store apps to be installed) you will pass A8.4.

A8.5 is rather misleading: you just need to identify those apps that hold or access company information, such as Outlook, OneDrive, etc. Your list of applications will therefore generally be quite small (you don’t have to prevent, or make a list of, devices with BBC iPlayer or Trainline etc installed). You just need to, at least, enforce the use of approved apps for accessing company data by company/paper policy, not necessarily a technical policy (though Mobile Device Management software would give you a higher degree of assurance that the devices are compliant).

Back to contents